@wileyj wileyj commented Apr 11, 2025

works in conjunction with stacks-network/actions#73

  • Adds image attestation for docker images built from source
  • only build stacks-inspect in the core-build-tests workflow to save compiling time
  • Adds image attestation via Add image and binary attestation actions#73 for the github-release workflow (with required env checks).

note: there are 2 approvals required for the release workflow in this PR:

  1. initial approval to build the arch release binary archives
  2. second approval to publish the docker images

Example workflows using these changes and the composite changes:
stacks-core:
https://github.com/wileyj/stacks-core/actions/runs/14383958535/job/40336789316
https://hub.docker.com/repository/docker/wileyj/stacks-signer/tags?name=0.0.0.5.0
https://hub.docker.com/repository/docker/wileyj/stacks-core/tags?name=0.0.0.0.5
https://hub.docker.com/repository/docker/wileyj/stacks-blockchain/tags?name=0.0.0.0.5

signer:
https://github.com/wileyj/stacks-core/actions/runs/14386084069
https://hub.docker.com/repository/docker/wileyj/stacks-signer/tags?name=0.0.0.5.1

images may be attested i.e:

 $ gh attestation verify oci://wileyj/stacks-core:0.0.0.0.5 --repo wileyj/stacks-core --predicate-type https://slsa.dev/provenance/v1
  Loaded digest sha256:6f525b3fbbe049a88ee44797fea66930d9bc7d4a59b1ec3c671a4241386b3068 for oci://wileyj/stacks-core:0.0.0.0.5
  Loaded 2 attestations from GitHub API

  The following policy criteria will be enforced:
  - Predicate type must match:................ https://slsa.dev/provenance/v1
  - Source Repository Owner URI must match:... https://github.com/wileyj
  - Source Repository URI must match:......... https://github.com/wileyj/stacks-core
  - Subject Alternative Name must match regex: (?i)^https://github.com/wileyj/stacks-core/
  - OIDC Issuer must match:................... https://token.actions.githubusercontent.com

  ✓ Verification succeeded!

  The following 2 attestations matched the policy criteria

  - Attestation #1
    - Build repo:..... wileyj/stacks-core
    - Build workflow:. .github/workflows/ci.yml@refs/heads/release/0.0.0.0.5
    - Signer repo:.... wileyj/stacks-core
    - Signer workflow: .github/workflows/github-release.yml@refs/heads/release/0.0.0.0.5

  - Attestation #2
    - Build repo:..... wileyj/stacks-core
    - Build workflow:. .github/workflows/ci.yml@refs/heads/release/0.0.0.0.5
    - Signer repo:.... wileyj/stacks-core
    - Signer workflow: .github/workflows/github-release.yml@refs/heads/release/0.0.0.0.5
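
The verification shown in the PR description, wrapped as a deploy gate. This is an added example, not part of the PR or the stacks-core workflows. It refuses tag-only references, since a tag can be re-pointed after the check, and also requires the signer workflow listed in the sample output; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR). Repo, predicate type and signer workflow
# are the values visible in the sample output above; function names are hypothetical.

REPO="wileyj/stacks-core"
PREDICATE="https://slsa.dev/provenance/v1"
SIGNER_WORKFLOW="wileyj/stacks-core/.github/workflows/github-release.yml"

# Succeeds only for references of the form <name>@sha256:<64 lowercase hex chars>.
is_digest_pinned() {
  case "$1" in
    ?*@sha256:*) ;;
    *) return 1 ;;
  esac
  _digest="${1##*@sha256:}"
  [ "${#_digest}" -eq 64 ] || return 1
  case "$_digest" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# verify_image <image-ref>
#   returns 2 if the reference is not digest-pinned (gh is never called),
#   otherwise the exit status of `gh attestation verify`.
verify_image() {
  if ! is_digest_pinned "$1"; then
    echo "refusing $1: tags are mutable, pin the image by digest" >&2
    return 2
  fi
  gh attestation verify "oci://$1" \
    --repo "$REPO" \
    --predicate-type "$PREDICATE" \
    --signer-workflow "$SIGNER_WORKFLOW" >/dev/null
}

# Usage: verify_image "<name>@sha256:<digest>" && docker pull "<name>@sha256:<digest>"
```

Pulling by the same digest that was verified keeps the check and the deployment bound to one image.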

codecov bot commented Apr 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.18%. Comparing base (c8cb3eb) to head (9f9c160).
Report is 31 commits behind head on develop.

Additional details and impacted files
@@             Coverage Diff             @@
##           develop    #6003      +/-   ##
===========================================
+ Coverage    83.61%   84.18%   +0.57%     
===========================================
  Files          527      527              
  Lines       384279   384686     +407     
  Branches       323      323              
===========================================
+ Hits        321301   323835    +2534     
+ Misses       62970    60843    -2127     
  Partials         8        8              

see 50 files with indirect coverage changes


@CharlieC3 CharlieC3 left a comment

:shipit:

@obycode obycode left a comment

this looks okay to me

@BowTiedDevOps BowTiedDevOps left a comment

LGTM

@wileyj wileyj enabled auto-merge April 12, 2025 15:54
@wileyj wileyj added this pull request to the merge queue Apr 12, 2025
Merged via the queue into stacks-network:develop with commit 50e304a Apr 12, 2025
2 checks passed
@wileyj wileyj deleted the chore/update_ci branch April 12, 2025 16:17

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2025